The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware.
It is “part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread,” the Microsoft Security Threat Intelligence Centre (MSTIC) said in a detailed write-up.
Raspberry Robin, also called QNAP Worm owing to the use of compromised QNAP storage servers for command-and-control, is the name given to a malware by cybersecurity company Red Canary that spreads to Windows systems through infected USB drives.
MSTIC is keeping tabs on the activity group behind the USB-based Raspberry Robin infections as DEV-0856, adding it’s aware of at least four confirmed entry points that all have the likely end goal of deploying ransomware.
The tech giant’s cybersecurity team said that Raspberry Robin has evolved from a widely distributed worm with no observed post-infection actions to one of the largest malware distribution platforms currently active.